keyrate with mismatch...• Assumption: Alice’s and Bob’s labs are secure and trusted. • Use...
20
Security proof of practical quantum key distribution with detection-efficiency mismatch Yanbao Zhang NTT Research Center for Theoretical Quantum Physics NTT Basic Research Lab, Japan Based on the joint work arXiv:2004.04383 with Patrick J. Coles, Adam Winick, Jie Lin, and Norbert Lütkenhaus
Transcript of keyrate with mismatch...• Assumption: Alice’s and Bob’s labs are secure and trusted. • Use...
Security proof of practical quantum key distribution with detection-efficiency
mismatch
Yanbao Zhang
NTT Research Center for Theoretical Quantum Physics
NTT Basic Research Lab, Japan
Based on the joint work arXiv:2004.04383 with Patrick J. Coles, Adam Winick, Jie Lin, and Norbert Lütkenhaus
1
● Detection-efficiency mismatch due to manufacturing and setup
*Detectors considered in this work are threshold detectors.
● Detection-efficiency mismatch induced by Eve
𝜂1
𝜂2
Polarized photons
PBS
Why detection-efficiency mismatch matters?
It is difficult to build two detectors with identical efficiency.
𝜂1
𝜂2
Polarized photons
PBS
Zhao et al., Phys. Rev. A 78, 042333 (2008)
spatial-mode-dependent temporal-mode-dependent
Rau et al., IEEE J. Quantum Electron. 21, 6600905 (2014)Sajeed et al., Phys. Rev. A 91, 062301 (2015) Chaiwongkhot et al., Phys. Rev. A 99, 062315 (2019)
2
● Efficiency mismatch helps Eve to attack QKD systems.
● Efficiency mismatch can cause fake violations of an entanglement witness.
Lydersen et al., Nat. Photon. 4, 686 (2010) Gerhardt et al., Nat. Commun. 2, 349 (2011)
Problems caused by efficiency mismatch
In the presence of efficiency mismatch, the detection events are not fair samples. If only detection events are used, a Bell inequality can be violated even using classical light [Gerhardt et al., Phys. Rev. Lett. 107, 170404 (2011)].
3
Source-replacement description[Bennett, Brassard, Mermin, PRL 68, 557 (1992); Curty, Lewenstein, Lütkenhaus, PRL 92, 217903 (2004); Ferenczi, Lütkenhaus, PRA 85, 052310 (2012)]
| ۧ𝛹 𝐴𝐴′ = (| ۧH 𝐴| ۧH 𝐴′ + | ۧV 𝐴| ۧV 𝐴′)/ 2
Alice Entanglementsource
𝐴
𝐴′ sentto Bob
POVM
{𝑀𝑥𝐴 = ۧ|𝜑𝑥 ൻ𝜑𝑥|}
AliceSingle-photon
source
x ∈ 0,1,2,3
x {𝑝𝑥 = 1/4, ۧ𝜑𝑥
𝜑𝑥 ∈ {H, V, D, A}
Prepare & Measure BB84 [Bennett and Brassard (1984)]
Protocol analyzed in this work
Random number• Assumption: Alice’s and Bob’s labs are
secure and trusted.
• Use of the entanglement-based scheme for security analysis.
1) 𝜌𝐴𝐴′ 𝜌𝐴𝐵.
2) Alice’s measurements are ideal.
• Warning: System 𝐴′ is two-dimensional, but the system 𝐵 arriving at Bob can be infinite-dimensional.
• Detection-efficiency mismatch exists in Bob’s measurement setup.
𝐴′ sentto Bob
4
Active Detection Passive Detection
Bob’s measurements & efficiency mismatch
PR – Polarization RotatorPBS – Polarizing Beam Splitter50/50 BS – 50/50 Beam Splitter
PR PBS
H/D
V/A
50/50 BS
PBSH/V
PBSD/A
A
V
D
H
Mode H/D V/A
1 𝜂1 𝜂2
2 𝜂2 𝜂1
Efficiency mismatch model considered Mode H V D A
1 𝜂1 𝜂2 𝜂2 𝜂2
2 𝜂2 𝜂1 𝜂2 𝜂2
3 𝜂2 𝜂2 𝜂1 𝜂2
4 𝜂2 𝜂2 𝜂2 𝜂1
Efficiency mismatch model considered
*Our method works for arbitrary, characterized efficiency mismatch.
2
Random bit b
Mode 2
Mode 1Mode 1
3
4
5
Obstacle to proving security with efficiency mismatch
• Without efficiency mismatch, the squashing model exists. A qubit-based security proof still applies.
[Beaudry, Moroder, Lütkenhaus, Phys. Rev. Lett. 101, 093601 (2008);
Tsurumaru and Tamaki, Phys. Rev. A 78, 032302 (2008)]
• With efficiency mismatch, the above squashing model doesn’t work.
• Previous security proofs with efficiency mismatch assume that the system arriving at Bob contains at most one photon. [Fung et al., Quantum Inf. Comput. 9, 131 (2009); Lydersen and Skaar, Quant. Inf. Comp. 10, 0060 (2010);
Bochkov and Trushechkin, Phys. Rev. A 99, 032308 (2019); Ma et al., Phys. Rev. A 99, 062325 (2019)]
Our contribution: We develop a method to handle the infinite-dimensional system
received by Bob.
*In parallel with us, Trushechkin recently developed an alternative method [arXiv:2004.07809].
Mutiphoton state Single-photon stateSquashing
6
Alice Bob
Announcement Announcement
Sifting Sifting
Key map Key map
Brief introduction to a numerical approach for security proof
𝜌𝐴𝐵
Measurement {𝑀𝑥𝐴} Measurement {𝑀𝑦
𝐵}
1. A protocol can be described by a set of POVMs {𝑀𝑥𝐴⊗ 𝑀𝑦
𝐵 } (measurements), Kraus operator 𝒢
(announcements and sifting), and Key map 𝒵 (forming key). The state 𝜌𝐴𝐵 is constrained by observations 𝑝𝐴𝐵 𝑥, 𝑦 --- the expectation values of POVMs.
QKD protocol
Key rate: 𝐾 = 𝛼 − 𝐻 𝐴 𝐵 , where 𝛼 forprivacy amplification and 𝐻 𝐴 𝐵 for errorcorrection. *Collective attacks are considered, and the key is defined by Alice.
𝛼 = min𝜌𝐴𝐵
𝐷 𝒢 𝜌𝐴𝐵 ||𝒵(𝒢 𝜌𝐴𝐵 )
൝𝜌𝐴𝐵 ≥ 0, Tr 𝜌𝐴𝐵 = 1
Tr (𝑀𝑥𝐴 ⊗ 𝑀𝑦
𝐵 𝜌𝐴𝐵)= 𝑝𝐴𝐵 𝑥, 𝑦
Key-rate calculation
2. Once description is given, the key rate (privacy amplification part) takes the form of min 𝑓(𝜌𝐴𝐵) , where one needs to minimize 𝑓 depending on 𝜌𝐴𝐵 (Eve’s attack).
3. As 𝑓 is a convex function, we can calculate both a lower bound and an upper bound on min𝑓(𝜌).
Winick, Lütkenhaus, Coles, Quantum 2, 77 (2018)
Coles, Metodiev, Lütkenhaus, Nat. Commun. 7, 11712 (2016)
7
Dimension reduction by flag-state squasher• Key observation: Each POVM element 𝑀𝑦
𝐵 , 𝑦 ∈ 1,2, … , 𝐽 , is block-diagonal with respect
to various photon-number subspaces.
• For a photon-number cutoff 𝑘 (𝑛 ≤ 𝑘)- and (𝑛 > 𝑘)-photon subspaces
Original POVM:
𝑀𝑦𝐵=
𝑀𝑦,𝑛≤𝑘𝐵 0
0 𝑀𝑦,𝑛>𝑘𝐵
Squashed POVM:
෩𝑀𝑦෨𝐵 =
𝑀𝑦,𝑛≤𝑘𝐵 0
0 | ۧ𝑦 |𝑦ۦ
For an arbitrary input state 𝝆𝑩, Tr (𝑴𝒚𝑩𝝆𝑩) = Tr ( ෩𝑴𝒚
෩𝑩𝜦(𝝆𝑩)), ∀ 𝒚.
H𝑛≤𝑘
⊕
H𝑛>𝑘
r
𝑀𝑦,𝑛>𝑘𝐵 | ۧ𝑦 |𝑦ۦ
Squasher 𝜦⊕
H𝑛≤𝑘
H𝐽
Two equivalent descriptions of the measurement process.
The description using the squasher Λ is pessimistic, as it allows Eve to completely learn Bob’s outcome when 𝑛 > 𝑘.
A lower bound on 𝑝𝑛≤𝑘 is required when using the squasher Λ.
Infinite dimensional
Finite dimensional
Bob Bob
8
H𝑛≤𝑘
Step 1: Reducing the dimension
Step 2: Bounding the photon-number distribution
Overview of our method
min𝜌𝐴෩𝐵
𝐷 𝒢 𝜌𝐴 ෨𝐵 ||𝒵(𝒢 𝜌𝐴 ෨𝐵 )
൞
𝜌𝐴 ෨𝐵 ≥ 0, Tr 𝜌𝐴 ෨𝐵 = 1
Tr (𝑀𝑥𝐴 ⊗ ෩𝑀𝑦
෨𝐵 𝜌𝐴 ෨𝐵)=𝑝𝐴𝐵 𝑥, 𝑦
Tr(Π≤𝑘𝜌𝐴 ෨𝐵) ≥ 𝑏𝑘
Accordingly, we need only to solve a finite-dimensional convex optimization problem,and so we can obtain non-trivial lower bounds of the secret key rate.
Our key-rate calculation
*𝜌𝐴 ෨𝐵 is finite-dimensional;
* The operators ෩𝑀𝑦෨𝐵 depend
on efficiency mismatch.
* Π≤𝑘 is the projector onto the (≤-𝑘)-photon subspace.
H𝑛≤𝑘
⊕H𝑛>𝑘
r
𝑀𝑦,𝑛>𝑘𝐵 | ۧ𝑦 |𝑦ۦ
Squasher 𝜦⊕H𝐽
Infinite dimensional
Bob BobFinite
dimensional
H𝑛≤𝑘
9
*Similar bounds have been used for security proofs of QKD without efficiency mismatch, see [Lütkenhaus, PRA 59, 3301 (1999) and Koashi et al., arXiv:0804.0891].
*We use the bounds established in [Y Z and N. Lütkenhaus, PRA 95, 042319 (2017)] for entanglement verification with efficiency mismatch. An alternative bound for active detection with efficiency mismatch was recently derived by Trushechkin, arXiv:2004.07809.
Photon-number distribution bounds• Let 𝑇 be an observable that depends on both the photon number 𝑛 and the efficiency
mismatch (e.g., double click or cross click).
• 𝑇 is block-diagonal. WLOG 𝜌𝐴𝐵 is block-diagonal, i.e., 𝜌𝐴𝐵= σ𝑛=0∞ 𝑝𝑛 𝜌𝐴𝐵
𝑛.
𝑝𝑛 --- the probability that the system arriving at Bob has 𝑛 photons.
If we can find 𝑛-dependent bounds
𝑡obs,𝑛 = Tr (𝜌𝐴𝐵𝑛
𝑇)≥ ቐ𝑡obs, 𝑛≤𝑘
min , ∀𝑛 ≤ 𝑘,
𝑡obs, 𝑛>𝑘min , ∀𝑛 > 𝑘,
then we have
𝑡obs = σ𝑛=0∞ 𝑝𝑛 Tr 𝜌𝐴𝐵
𝑛𝑇 ≥ 𝑝𝑛≤𝑘𝑡obs, 𝑛≤𝑘
min + 1 − 𝑝𝑛≤𝑘 𝑡obs, 𝑛>𝑘min .
𝑝𝑛≤𝑘 ≥𝑡obs, 𝑛>𝑘
min − 𝑡obs
𝑡obs, 𝑛>𝑘min − 𝑡obs, 𝑛≤𝑘
min.𝑡obs, 𝑛≤𝑘
min is less than 𝑡obs, 𝑛>𝑘min
10
PR PBS
H/D
V/AMode H/D V/A
1 𝜂1=1 𝜂2=𝜂
2 𝜂2=𝜂 𝜂1=1
Efficiency mismatch model considered
Random bit b
𝑝𝑛≤𝑘 for active detection
The observable 𝑇 can be the double-click operator 𝐷 or the effective-error operator.
𝑑obs,𝑛 = Tr (𝜌𝐴𝐵𝑛
𝐷)≥ ቐ𝜂
21 − 22−𝑛 , 𝑛 is even;
𝜂
21 − 21−𝑛 , 𝑛 is odd.
Photon number 𝑛
𝜂=1, numerical
𝜂=0.2, numerical
𝜂=1, analytical
𝜂=0.2, analytical
𝑑o
bs,
𝑛m
in
*The numerical results are obtained by solving SDPs [Y Z and N. Lütkenhaus, PRA 95, 042319 (2017)].
*The analytical bounds are motivated and improvethe results in [Trushechkin, arXiv:2004.07809].
Due to the monotonic behavior of 𝑑obs, 𝑛min ,
𝑝𝑛≤𝑘 ≥𝑑obs, 𝑘+1
min − 𝑑obs
𝑑obs, 𝑘+1min
, ∀𝑘.
*Our method works for arbitrary, characterized efficiency mismatch.
11
50/50 BS
PBSH/V
PBSD/A
A
V
D
H Mode H V D A
1 𝜂1=1 𝜂2=𝜂 𝜂2=𝜂 𝜂2=𝜂
2 𝜂2=𝜂 𝜂1=1 𝜂2=𝜂 𝜂2=𝜂
3 𝜂2=𝜂 𝜂2=𝜂 𝜂1=1 𝜂2=𝜂
4 𝜂2=𝜂 𝜂2=𝜂 𝜂2=𝜂 𝜂1=1
Efficiency mismatch model considered
𝑝𝑛≤𝑘 for passive detection
The observable 𝑇 can be the cross-click operator 𝐶.
Photon number 𝑛
𝑐 ob
s,𝑛
min
𝜂=1
𝜂=0.8
𝜂=0.6
𝜂=0.4
𝜂=0.2
*The numerical results are obtained by solving SDPs [Y Z and N. Lütkenhaus, PRA 95, 042319 (2017)].
*The numerical bounds coincide with the analytical ones.
Due to the monotonic behavior of 𝑐obs, 𝑛min ,
𝑝𝑛≤𝑘 ≥𝑐obs, 𝑘+1
min − 𝑐obs
𝑐obs, 𝑘+1min
, ∀𝑘.
𝑐obs,𝑛 = Tr (𝜌𝐴𝐵𝑛
𝐶)≥ 1 + 1 − 𝜂 𝑛 − 2 1 −𝜂
2
𝑛.
*Our method works for arbitrary, characterized efficiency mismatch.
12
Data simulationWe simulate experimental observations 𝑝𝐴𝐵 𝑥, 𝑦 according to a toy model
• at each round Alice prepares a signal state (according to the protocol),
• the channel between Alice and Bob is specified by
𝑡 --- the single-photon transmission probability,
ω --- the depolarization noise,
𝑟 --- the multiphoton probability, i.e., the probability that a single photon randomly depolarized 𝑚 photons (in our simulation 𝑚 = 2),
• Bob performs a measurement (according to the protocol).
*If Bob’s detectors are coupled to several spatial-temporal modes, the optical signal is distributed uniformly at random over these modes.
Task: Lower-bound the key rate given 𝑝𝐴𝐵 𝑥, 𝑦 and characterized efficiency mismatch.
*For this particular case, 𝑝𝐴𝐵 𝑥, 𝑦 are determined by the channel parameters (𝑡, ω, 𝑟)as well as the detector model.
*Our security analysis doesn’t require characterizing the channel between Alice and Bob (i.e., Eve’s attack). Particularly, we don’t assume that the system received by Bob is finite-dimensional.
13
Key rates with trusted loss (in the absence of mismatch)
Active detection
Passive detection
Identical efficiency 𝜂 of Bob’s detectors
Key
rat
e (b
its)
*For data simulation, 𝑡𝜂 = 0.1,ω = 0.05, 𝑟 = 0.05.
*𝑝𝐴𝐵 𝑥, 𝑦 doesn’t change with 𝜂.
For these particular results, our security analysis
• assumes that at most two photons are received by Bob (and so a flag-state squasher is not used).
• when 𝜂 = 1, returns the same key rates as using the usual squashing model [Beaudry, Moroder, Lütkenhaus, Phys. Rev. Lett. 101, 093601 (2008); Tsurumaru and Tamaki, Phys. Rev. A 78, 032302 (2008)].
• suggests that more secret keys can be distilled when the trusted loss inside of Bob’s lab, (1 − 𝜂), increases and the untrusted loss over transmission, 1 − 𝑡 , decreases.
14
Key rates for active detection with efficiency mismatch
One mode, assuming ≤ 2 photons
𝜂2
Key
rat
e (b
its)
*For data simulation, 𝑡 = 0.5,ω = 0.05, 𝑟 = 0.05.
Mode H/D V/A
1 𝜂1=0.2 𝜂2
Efficiency mismatch studied
One mode, flag-state squahser
• When applying a flag-state squasher, we choose the photon-number cutoff 𝑘 = 2.
• The larger the efficiency mismatch, the lower the key rate is.
• Making assumptions on Eve’s attack would overestimate the key rate.
15
Key rates for active detection with efficiency mismatch
One mode, assuming ≤ 2 photons
𝜂2
Key
rat
e (b
its)
*For data simulation, 𝑡 = 0.5,ω = 0.05, 𝑟 = 0.05.
Mode H/D V/A
1 𝜂1=0.2 𝜂2
2 𝜂2 𝜂1=0.2
Efficiency mismatch studied
One mode, flag-state squahser
Two modes, flag-state squasher
• When applying a flag-state squasher, we choose the photon-number cutoff 𝑘 = 2.
• The larger the efficiency mismatch, the lower the key rate is.
• Making assumptions on Eve’s attack would overestimate the key rate.
• Mode-dependent mismatch helps Eve to attack the QKD system.
16
Key rates for passive detection with efficiency mismatch
One mode, assuming ≤ 2 photons
𝜂2
Key
rat
e (b
its)
*For data simulation, 𝑡 = 0.5,ω = 0.05, 𝑟 = 0.05.
Efficiency mismatch studied
One mode, no photon-# assumption
• When applying a flag-state squasher, we choose a photon-number cutoff𝑘 = 2 (for one mode) or 𝑘 = 1 (for four modes).
• The larger the efficiency mismatch, the lower the key rate is.
• Making assumptions on Eve’s attack would overestimate the key rate.
Mode H V D A
1 𝜂1=0.2 𝜂2=𝜂 𝜂2=𝜂 𝜂2=𝜂
17
Key rates for passive detection with efficiency mismatch
One mode, assuming ≤ 2 photons
𝜂2
Key
rat
e (b
its)
*For data simulation, 𝑡 = 0.5,ω = 0.05, 𝑟 = 0.05.
Efficiency mismatch studied
One mode, no photon-# assumption
Four modes, no photon-# assumption
• When applying a flag-state squasher, we choose a photon-number cutoff𝑘 = 2 (for one mode) or 𝑘 = 1 (for four modes).
• The larger the efficiency mismatch, the lower the key rate is.
• Making assumptions on Eve’s attack would overestimate the key rate.
• Mode-dependent mismatch helps Eve to attack the QKD system.
Mode H V D A
1 𝜂1=0.2 𝜂2=𝜂 𝜂2=𝜂 𝜂2=𝜂
2 𝜂2=𝜂 𝜂1=0.2 𝜂2=𝜂 𝜂2=𝜂
3 𝜂2=𝜂 𝜂2=𝜂 𝜂1=0.2 𝜂2=𝜂
4 𝜂2=𝜂 𝜂2=𝜂 𝜂2=𝜂 𝜂1=0.2
18
Summary
• Constructed a flag-state squasher to reduce the system dimension.*The flag-state squasher can be applied to other protocols, see Li and Lütkenhaus, arXiv:2007.08662.
• Established bounds on photon-number distribution directly from experimental observations.
• Proved the security of a prepare & measure BB84 protocol in the presence of efficiency mismatch without a photon-number limit.
• Illustrated the individual effects of trusted loss and untrusted loss on the key rate.
Finite key analysis can also be handled by numerical approach (see the talk “Numerical Calculations of Finite Key Rate for General Quantum Key Distribution Protocols” by Ian George).
19
Summary
• Constructed a flag-state squasher to reduce the system dimension.*The flag-state squasher can be applied to other protocols, see Li and Lütkenhaus, arXiv:2007.08662.
• Established bounds on photon-number distribution directly from experimental observations.
• Proved the security of a prepare & measure BB84 protocol in the presence of efficiency mismatch without a photon-number limit.
• Illustrated the individual effects of trusted loss and untrusted loss on the key rate.
Finite key analysis can also be handled by numerical approach (see the talk “Numerical Calculations of Finite Key Rate for General Quantum Key Distribution Protocols” by Ian George).
Thank you! [email protected]
